Upgrade Apache Commons Collections to v3.2.2

[bramp]

Version 3.2.1 has a CVSS 10.0 vulnerability. That's the worst kind of vulnerability that exists. By merely existing on the classpath, this library causes the Java serialization parser for the entire JVM process to go from being a state machine to a turing machine. A turing machine with an exec() function!

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8103 https://commons.apache.org/proper/commons-collections/security-reports.html http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

[kdvolder]

Thanks. For us to accept and merge a contribution you need to sign the CLA (see comment and link at the bottom of the github README page for this project).

Let me know if you have signed the agreement and I'll merge it in.

[bramp]

My employer (Google) is unwilling to sign the CLA as is. I have started a conversation between our lawyers, and your lawyers. I'll ping this thread when a agreement has been decided.